CVE-2023-53982
Unknown Unknown - Not Provided
SQL Injection in PMB 7.4.6 ajax.php Enables Data Extraction

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: VulnCheck

Description
PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53982
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sigb pmb 7.4.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53982 is a critical SQL injection vulnerability in PMB version 7.4.6. It exists in the 'storage' parameter of the ajax.php endpoint, specifically in the unsanitized 'id' parameter. This flaw allows remote attackers to inject SQL code, including conditional sleep statements, enabling time-based blind SQL injection attacks. Through this, attackers can manipulate database queries to extract sensitive information or perform other unauthorized database operations. [3, 4]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data by allowing attackers to extract information from the database. It can also enable attackers to manipulate or alter data integrity and potentially cause denial of service by locking or delaying database operations. The high CVSS scores indicate a severe impact on confidentiality and integrity, with low impact on availability. [3, 4]

Detection Guidance

This vulnerability can be detected by testing the 'id' parameter of the ajax.php endpoint with SQL injection payloads that cause time delays, such as conditional sleep statements. For example, using the sqlmap tool with the command: sqlmap -u "http://localhost/pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1&module=ajax&sub=save&token=undefined" -p "id" can help identify the SQL injection vulnerability by injecting payloads and observing response delays. [3]

Mitigation Strategies

Immediate mitigation steps include updating PMB to a version that patches this SQL injection vulnerability, such as versions later than 7.4.6. If an update is not immediately possible, restrict access to the vulnerable ajax.php endpoint, implement web application firewall (WAF) rules to block malicious SQL injection payloads targeting the 'id' parameter, and monitor for suspicious activity. Applying input validation and sanitization on the 'id' parameter is also recommended. [4, 3]

Compliance Impact

The vulnerability allows remote attackers to extract sensitive information from the database through SQL injection, which can lead to unauthorized access and data leakage. Such data breaches can compromise compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and ensuring data integrity. Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential exposure of confidential information. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53982. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart